Security
Security by architecture, not by promise.
CCAI is designed for regulated environments. Security controls are structural — built into the data model, access layer, and deployment architecture.
Tenant Isolation
Each tenant operates in a fully isolated data scope. Configuration, screening results, evidence packages, and audit trails are scoped per tenant with no cross-tenant data access.
Authentication & Access
API access requires tenant-scoped API keys. Administrative endpoints require separate credentials. All API calls are logged with tenant context, trace IDs, and timestamps.
Encryption
Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Encryption keys are managed through cloud provider key management services with automatic rotation.
Audit Trail
Every API call, screening decision, and administrative action is logged in an append-only audit trail. Audit events include trace IDs for end-to-end correlation.
Infrastructure
Deployed on Google Cloud Platform with regional data residency options (US, EU). Infrastructure follows the principle of least privilege with network segmentation and managed firewalls.
Evidence Integrity
DecisionEventPackages are immutable once assembled. Evidence integrity is verified through hash binding and independently attested by the Intelligent Analyst verification layer.
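As an added illustration of what "hash binding" an immutable evidence package involves in practice, the snippet below is example code written for this page, not CCAI's implementation: the DecisionEventPackage field names, the choice of SHA-256 over canonical JSON, the frozen dataclass for immutability, and the sample artifacts are all assumptions. It shows how each evidence artifact is bound by hash, how the assembled package gets a single content hash, and how a verifier that recomputes from the raw artifacts detects a swapped artifact or an altered decision. The separate attestation by a verification layer mentioned above is not modelled here.

```python
import hashlib
import json
from dataclasses import dataclass, replace


def canonical_bytes(obj) -> bytes:
    """Deterministic JSON encoding so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class DecisionEventPackage:
    """Immutable once assembled: frozen dataclass, evidence held as a tuple (assumed layout)."""
    tenant_id: str
    trace_id: str
    decision: str
    evidence: tuple   # ((artifact_name, sha256_hex), ...) sorted by name
    package_hash: str  # SHA-256 over the canonical body built by _body()


def _body(tenant_id: str, trace_id: str, decision: str, evidence: tuple) -> dict:
    """Everything the package hash covers; tenant and trace context are included."""
    return {
        "tenant_id": tenant_id,
        "trace_id": trace_id,
        "decision": decision,
        "evidence": [list(pair) for pair in evidence],
    }


def assemble_package(tenant_id: str, trace_id: str, decision: str,
                     artifacts: dict) -> DecisionEventPackage:
    """Bind each evidence artifact by hash, then hash the whole body once."""
    evidence = tuple(sorted((name, sha256_hex(blob)) for name, blob in artifacts.items()))
    package_hash = sha256_hex(canonical_bytes(_body(tenant_id, trace_id, decision, evidence)))
    return DecisionEventPackage(tenant_id, trace_id, decision, evidence, package_hash)


def verify_package(pkg: DecisionEventPackage, artifacts: dict) -> tuple:
    """Recompute everything from the raw artifacts. Returns (ok, reason)."""
    expected = tuple(sorted((name, sha256_hex(blob)) for name, blob in artifacts.items()))
    if expected != pkg.evidence:
        return False, "evidence artifacts do not match the hashes bound in the package"
    recomputed = sha256_hex(canonical_bytes(
        _body(pkg.tenant_id, pkg.trace_id, pkg.decision, pkg.evidence)))
    if recomputed != pkg.package_hash:
        return False, "package body was altered after assembly"
    return True, "ok"


# Constructed sample artifacts; not real screening data.
SAMPLE_ARTIFACTS = {
    "screening_result.json": b'{"match": false, "lists_checked": ["list-a", "list-b"]}',
    "source_record.txt": b"constructed source record for tenant-001",
}


def demo() -> dict:
    """Assemble one package, then verify it intact, with a swapped artifact, and with an altered decision."""
    pkg = assemble_package("tenant-001", "trace-0001", "CLEAR", SAMPLE_ARTIFACTS)
    intact = verify_package(pkg, SAMPLE_ARTIFACTS)
    swapped = {**SAMPLE_ARTIFACTS, "screening_result.json": b'{"match": true}'}
    tampered_evidence = verify_package(pkg, swapped)
    # replace() builds a new instance; the original frozen package cannot be mutated in place.
    tampered_decision = verify_package(replace(pkg, decision="BLOCK"), SAMPLE_ARTIFACTS)
    return {
        "intact": intact,
        "tampered_evidence": tampered_evidence,
        "tampered_decision": tampered_decision,
        "package_hash": pkg.package_hash,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The useful property for an auditor is that verification needs only the raw artifacts and the package itself; any change to an artifact, the decision, or the tenant and trace context after assembly changes the recomputed hash, so a stored package_hash (for instance, one recorded in an append-only audit event) is enough to detect tampering later.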
Compliance Certifications
CCAI maintains compliance with industry standards for data security and privacy.
SOC 2 Type II: Security, Availability
HIPAA: Protected Health Information
GDPR: EU Data Protection
Security Inquiries
For security-related questions, vulnerability reports, or to request our SOC 2 report, contact us at security@corecompliance.ai.